Department of Homeland Security
Office of Inspector General

Major Management Challenges
Facing the Department of Homeland Security

OIG-10-16                                    November 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

The creation of the Department of Homeland Security (DHS) on March 1, 2003, was the
most significant reorganization of the federal government, bringing together twenty-two
federal agencies in response to the aftermath of 9/11. Since its inception, the Department of
Homeland Security has performed a broad range of activities across a single driving mission to
secure America from the entire range of threats that we face.

Six years later, the department is moving beyond operating as an organization in transition to
a department diligently working to protect our borders and critical infrastructure, preventing
dangerous people and goods from entering our country, and recovering from natural disasters
effectively. However, while much progress has been made, the department still has much to
do to establish a cohesive, efficient, and effective organization.

The major management challenges we identify facing DHS, including department-wide and
operational challenges, are a major factor in setting our priorities for audits, inspections, and
evaluations of DHS’ programs and operations. As required by the Reports Consolidation Act
of 2000, Pub. L. No. 106-531, we update our assessment of management challenges annually.
We have made recommendations in many, but not all, of these areas as a result of our
reviews and audits of departmental operations. Where applicable, we have footnoted specific
reports that require DHS’ action.

We have identified the following major management challenges:
      • Acquisition Management
      • Information Technology Management
      • Emergency Management
      • Grants Management
      • Financial Management
      • Infrastructure Protection
      • Border Security
      • Transportation Security
      • Trade Operations and Security

Since the major management challenges have tended to remain the same from year to year,
we developed scorecards to distinguish the department’s progress in selected areas. Our first
scorecard, published in the Semiannual Report to Congress, October 1, 2006 – March 31,
2007, included an assessment of DHS’ acquisition function.
This report features scorecards
for acquisition management, information technology management, emergency management,
grants management, and financial management.

We based the ratings on a four-tiered scale ranging from limited to substantial progress [1]:
      • Limited: While there may be plans to address critical success factors, few if any
        have been implemented;
      • Modest: While some improvements have been made, many of the critical success
        factors have not yet been achieved;
      • Moderate: Many of the critical success factors have been achieved; and
      • Substantial: Most or all of the critical success factors have been achieved.

These five scorecards are summarized in Figure 1 and incorporated in our discussion of the
major management challenges.

[1] Financial Management Scorecard uses different criteria to assess limited to substantial progress, and is shown
in the Financial Management section of the report.

Figure 1. DHS’ OVERALL PROGRESS IN SELECTED AREAS
Ratings are based on a four-tiered scale: Limited, Modest, Moderate, and Substantial.

                                        FY 2008              FY 2009
Acquisition Management                  Modest Progress      Moderate Progress
Information Technology Management       Moderate Progress    Moderate Progress
Emergency Management                    Moderate Progress    Moderate Progress
Grants Management                       N/A                  Modest Progress
Financial Management                    Modest Progress      Modest Progress

ACQUISITION MANAGEMENT

DHS relies on goods and services contractors to help fulfill many of its critical mission areas.
As such, effective acquisition management is vital to achieving DHS’ overall mission.
Acquisition management is much more than simply awarding a contract. It requires a sound
management infrastructure to identify mission needs; develop strategies to fulfill those needs
while balancing cost, schedule, and performance; and ensure that contract terms are
satisfactorily met. A successful acquisition process depends on the following key factors:
   • Organizational Alignment and Leadership—ensures appropriate placement of the
     acquisition function, defines and integrates roles and responsibilities, and maintains
     clear, strong executive leadership;
   • Policies and Processes—partnering with internal organizations, effective use of
     project management approaches, and establishment of effective internal controls;
   • Acquisition Workforce—commitment to human capital management, integration and
     alignment of human capital approaches with organizational goals, and investment in
     people; and
   • Knowledge Management and Information Systems—tracking of key acquisition data,
     analysis of supplies and services spending, and data stewardship.

Acquisition Management Scorecard

The following scorecard illustrates areas where DHS improved its acquisition management
practices, as well as areas where it continues to face challenges.
We based our assessment on
our recent audit reports, Government Accountability Office (GAO) reports, congressional
testimony, and our broader knowledge of the acquisition function.

Based on the consolidated result of the four acquisition management capability areas, DHS
made “moderate” overall progress in the area of Acquisition Management.

ACQUISITION MANAGEMENT SCORECARD

Organizational Alignment and Leadership
Modest Progress

DHS made “modest” progress in improving the acquisition program’s organizational
alignment and defining roles and responsibilities. The department continues to depend
on a system of dual accountability and collaboration between the chief procurement
officer and the component heads, which may sometimes create ambiguity about who is
accountable for acquisition decisions. However, DHS maintains that the dual authority
model works because the Office of the Chief Procurement Officer (OCPO) retains central
authority over all contracting through its contracting officer warrant program and Federal
Acquisition Certification - Contracting program. According to the department, the heads
of contracting activities and contracting officers function independently of component
influence as their authority flows from OCPO rather than the component.
DHS also
expects its proposed Acquisition Line of Business Integration and Management Directive
to clarify existing authorities and relationships within individual components and the
department’s Chief Procurement Officer.

According to the Government Accountability Office (GAO), [2] DHS has not effectively
implemented or adhered to its investment review process, which requires executive
decision making at key points in an investment’s life cycle. DHS has not provided the
oversight needed to identify and address cost, schedule, and performance problems in its
major investments due to a lack of involvement by senior management officials as well as
limited monitoring and resources.

Although FEMA has reorganized its acquisition function to operate strategically, [3] FEMA
program offices have not adequately integrated the acquisition function into their
decision-making activities. Planning strategically requires that the Acquisition
Management Division partner with other FEMA components and assist them in assessing
internal requirements and the impact of external events. FEMA’s Acquisition
Management Division has begun to work more closely with program offices to better
manage the acquisition process, monitor and provide oversight to achieve desired
outcomes, and employ knowledge-based acquisition approaches.

[2] GAO-09-29, Department of Homeland Security: Billions Invested in Major Programs Lack Appropriate
Oversight, November 2008.
[3] DHS-OIG, FEMA's Implementation of Best Practices in the Acquisition Process, (OIG-09-31, February 2009).

Policies and Processes
Moderate Progress

DHS made “moderate” progress in developing and strengthening its policies and
processes related to acquisition management. Although the department has put a great
deal of effort into improving its processes and controls over awarding, managing, and
monitoring contract funds, it still needs to do more.
According to a May 2009 report by the GAO, [4] DHS provided guidance on award fees [5] in
its acquisition manual, but individual contracting offices developed their own approaches
to executing award fee contracts that were not always consistent with the principles in the
Office of Management and Budget’s guidance on award fees or among offices within
DHS. In addition, DHS has not developed methods for evaluating the effectiveness of an
award fee as a tool for improving contractor performance. FEMA also needs to
accelerate its planned acquisition process improvements for awarding, managing,
monitoring, tracking, and closing-out contracts. [6]

DHS is making progress in the oversight of its services contracts. As of March 2009, all
DHS professional services contracts greater than $1 million will undergo a mandatory
review before a new contract is awarded or an existing contract is renewed to ensure that
proposed contract awards do not include inherently governmental functions or impact
core functions that must be performed by federal employees. DHS expects this additional
review to add a new level of rigor to the DHS contracting process.

Acquisition Workforce
Moderate Progress

DHS made “moderate” progress in recruiting and retaining a workforce capable of
managing a complex acquisition program, but continues to face workforce challenges
across the department.
An April 2009 report by the GAO indicated that the Coast Guard
filled 717 of its 855 military and civilian personnel positions in the acquisition branch [7]
and planned to expand its acquisition workforce in FY 2011. However, some of its
unfilled positions are core acquisition positions such as contracting officers and
specialists, program management support staff, and engineering and technical specialists.
Although FEMA has improved acquisition training and greatly increased the number of
acquisition staff, it still needs to better prepare its acquisition workforce for catastrophic
disasters. [8]

[4] GAO-09-630, Federal Contracting: Guidance on Award Fees Has Led to Better Practices but is Not
Consistently Applied, May 2009.
[5] An award fee is an amount of money that a contractor may earn in whole or in part by meeting or exceeding
subjective criteria stated in an award fee plan.
[6] DHS-OIG, Internal Controls in the FEMA Disaster Acquisition Process, (OIG-09-32, February 2009);
DHS-OIG, Challenges Facing FEMA's Disaster Contract Management, (OIG-09-70, May 2009); DHS-OIG, FEMA's
Acquisition of Two Warehouses to Support Hurricane Katrina Response Operations, (OIG-09-77, June 2009);
DHS-OIG, FEMA's Temporary Housing Unit Program and Storage Site Management, (OIG-09-85, June 2009).
[7] GAO-09-620T, Coast Guard: Update on Deepwater Program Management, Cost, and Acquisition Workforce,
April 2009.
[8] DHS-OIG, Challenges Facing FEMA's Acquisition Workforce, (OIG-09-11, November 2008).

In its response to our November 2008 management challenges report, DHS highlighted
headquarters-level initiatives for building and retaining its acquisition workforce [9].
For
example, DHS centralized recruitment and hiring of acquisition personnel, established the
Acquisition Professional Career Program to hire and mentor procurement interns, created
a tuition assistance program, and structured rotational and development work
assignments. However, DHS needs time to complete all of these new initiatives. In the
interim, personnel shortages will continue to hamper the department’s ability to manage
its contracts and workload in an effective and efficient manner.

Knowledge Management and Information Systems
Modest Progress

DHS made “modest” progress in deploying an enterprise acquisition information system
and tracking key acquisition data. DHS has not yet fully deployed a department-wide
(enterprise) contract management system that is interfaced with the financial system. Many
procurement offices continue to operate using legacy systems that do not interface with
financial systems. With ten procurement offices and more than $17 billion in annual
acquisitions and procurement, DHS needs a consolidated acquisition system to improve data
integrity, reporting, performance measurement, and financial accountability.

In recent years, DHS did not ensure contract data was complete and accurate in the Federal
Procurement Data System-Next Generation (FPDS-NG). [10] This system is the only
consolidated information source for analyzing competition on procurements and is relied on
for reporting to the public and Congress. DHS has taken steps to comply with May 2008
guidance, issued by the Office of the Federal Procurement Policy, that requires government
agencies to develop a plan for improving the quality of acquisition data entered into
FPDS-NG. For example, DHS developed a standard report format and data quality review plans.

INFORMATION TECHNOLOGY MANAGEMENT

Creating a unified information technology (IT) infrastructure for effective integration and
agency-wide management of IT assets and programs remains a challenge for the DHS Chief
Information Officer (CIO). The CIO’s successful management of IT across the department
will require the implementation of strong IT security controls, coordination of planning and
investment activities across DHS components, and a commitment to ensuring privacy.

[9] Department of Homeland Security FY 2008 Annual Financial Report.
[10] DHS-OIG, DHS Contracts Awarded Through Other Than Full and Open Competition during Fiscal Year
2007, (OIG-09-94, August 2009).

Security of IT Infrastructure

During our FY 2008 Federal Information Security Management Act [11] (FISMA) evaluation,
we reported that the department continued to improve and strengthen its security program.
Specifically, the department implemented a performance plan to improve on four key areas:
Plan of Action and Milestones weaknesses remediation, quality of certification and
accreditation, annual testing and validation, and security program oversight. The department
also finalized its Sensitive Compartmented Information Systems Information Assurance
Handbook, which provides department intelligence personnel with security procedures and
requirements to administer its intelligence systems and the information processed.

Although the department’s efforts have resulted in some improvements, components are still
not executing all of the department’s policies, procedures, and practices.
Management
oversight of the components’ implementation of the department’s policies and procedures
needs improvement in order for the department to ensure that all information security
weaknesses are tracked and remediated, and to enhance the quality of system certification
and accreditation.

Additional information security program areas that need improvement include configuration
management, incident detection and analysis, specialized training, and privacy. In 2009, we
reported [12] that DHS had implemented effective system controls to protect the information
stored and processed by the department’s unclassified network, LAN-A. DHS ensures that
network patch management and vulnerability assessments are performed periodically.
However, DHS did not have an effective process to manage its LAN-A privileged accounts
or ensure that security patches were deployed on all applications. The lack of sufficient
processes increased the risk that LAN-A security controls could be circumvented.

IT Management

The department faces significant challenges as it attempts to create a unified IT infrastructure
for effective integration and agency-wide management of IT assets and programs. Toward
that end, DHS has several initiatives underway to improve IT operations and reduce costs.
One such program is the development of an enterprise-wide IT disaster recovery program to
ensure that the department’s operations can continue uninterrupted should its IT systems fail.
We reported in April 2009 that DHS had made progress in implementing a disaster recovery
program by allocating funds to establish two new data centers. [13] However, we noted that
more work was needed to ensure the new data centers were fully capable of meeting the
department’s significant IT disaster recovery needs.

Another major IT challenge for the DHS CIO is OneNet, an initiative aimed at consolidating
existing IT infrastructures into a wide area network. DHS began work on OneNet in 2005,
and envisions it will provide the components with secure data, voice, video, tactical radio,
and satellite communications between internal and external DHS resources. We reported in
September 2009 that DHS has taken various steps to consolidate existing infrastructures into
OneNet, but faces challenges in completing its OneNet implementation. [14] Specifically, we
reported that DHS is experiencing delays in meeting its scheduled completion date and that
components are reluctant to participate and are not subscribing to the implementation of
OneNet. As a result, DHS may not be able to reach its ultimate goal of consolidating and
modernizing its existing infrastructures and achieve cost savings.

[11] Title III of the E-Government Act of 2002, Public Law 107-347.
[12] DHS-OIG, Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A,
(OIG-09-55, April 2009).
[13] DHS-OIG, DHS’ Progress In Disaster Recovery Planning for Information Systems (OIG-09-60, April 2009).

Component CIOs also face significant challenges in their efforts to improve IT management,
budgeting, planning, and investment. In July 2009, we reported [15] that U.S. Citizenship and
Immigration Services (USCIS) strengthened overall IT management by restructuring its
Office of Information Technology and realigning its field IT staff.
However, the
department’s efforts to enforce overall IT budget authority and improve agency-wide IT
infrastructure have been difficult, due to insufficient staffing and funding. The department
finalized its Office of the Chief Information Officer (OCIO) Staffing Plan in April 2009, in
which it has identified the need to ensure sufficient staff with the right skills, security
clearances and experience.

Our April 2008 audit of the Federal Emergency Management Agency’s (FEMA) efforts to
upgrade its disaster logistics management systems [16] showed that existing systems did not
provide complete asset visibility, comprehensive asset management, or integrated logistics
information. Since this report, FEMA has yet to finalize its logistic, strategic, and
operational plans to guide logistics activities. In addition, FEMA has not developed
processes and procedures to standardize logistics activities. Without such plans, processes,
and procedures, selection of IT systems to support logistics activities will remain difficult.

Privacy

DHS continues to face challenges in ensuring that privacy concerns are properly addressed
throughout the lifecycle of each program and information system. For example, our
September 2009 report [17] identified a need for automated privacy tools to monitor the
Transportation Security Administration’s (TSA) file servers containing personally
identifiable information. Without such tools, TSA’s OCIO manually checked for personally
identifiable information leaks on file servers. However, these manual checks did not prevent
regularly occurring classified data spills and unprotected e-mails containing personnel
information.

We also reported that TSA made progress in implementing a framework that promotes a
privacy culture and complies with federal privacy laws and regulations.
Specifically, TSA
designated the Office of Privacy Policy and Compliance to oversee its privacy functions.
This office strengthened TSA’s culture of privacy through coordination with managers of
programs and systems that contain personally identifiable information to meet reporting
requirements, performing Privacy Impact Assessments, preparing public notifications of
systems of records, and enforcing privacy rules of conduct. The office also established
processes for reviewing and reporting privacy incidents, issuing public notices, addressing
complaints and redress for individuals, and implementing and monitoring privacy training for
employees.

[14] DHS-OIG, Improved Management and Stronger Leadership are Essential to Complete the OneNet
Implementation (OIG-09-98, September 2009).
[15] DHS-OIG, U.S. Citizenship and Immigration Services’ Progress in Modernizing Information Technology
(OIG-09-90, July 2009).
[16] DHS-OIG, Logistics Information Systems Need to be Strengthened at the Federal Emergency Management
Agency, (OIG-08-60, May 2008).
[17] DHS-OIG, Transportation Security Administration Privacy Stewardship (OIG-09-97, August 2009).

IT Management Scorecard

The following scorecard demonstrates where DHS’ IT management functions have been
strengthened. This high-level assessment identifies progress in six IT management capability
areas: IT budget oversight, IT strategic planning, enterprise architecture, portfolio
management, capital planning and investment control, and IT security.
These six elements
were selected based on IT management capabilities required by federal and DHS guidelines
for enabling CIOs to manage IT department-wide.

Based on the consolidated result of the six IT management capability areas, DHS has made
“moderate” progress in IT Management overall.

IT MANAGEMENT SCORECARD

IT Budget Oversight: ensures visibility into IT
spending and alignment with the strategic IT direction.
Modest Progress

The DHS CIO has made improvements in managing department-wide IT budgets in
accordance with the Clinger-Cohen Act [18] and the department’s mission and policy
guidance. The DHS 2009-2013 IT Strategic Plan emphasizes the importance of Component
IT spending approval by either the Component-level CIO or the DHS CIO. However,
gaining a department-wide view of IT spending was difficult due to some Component
CIOs not having sufficient budget control and insight. For example, our 2009 report [19] on
U.S. Citizenship and Immigration Services (USCIS) found that it was difficult for the
USCIS CIO to perform IT budgeting because business units had direct fee revenue or
appropriated funds and have not complied with IT budgetary control processes. Due to the
limited benefits realized, IT Budget Oversight has made “modest” progress.

[18] Clinger-Cohen Act of 1996, Public Law 104-106, Division E, Subtitle C, February 10, 1996.
[19] DHS-OIG, U.S. Citizenship and Immigration Services’ Progress in Modernizing Information Technology,
(OIG-09-90, July 2009).

IT Strategic Planning: helps align the IT
organization to support mission and business priorities.
Moderate Progress

An effective IT strategic plan establishes an approach to align resources and provides a
basis for articulating how the IT organization will develop and deliver capabilities to
support mission and business priorities. In January 2009, the department finalized its IT
Strategic Plan, which aligns IT goals with overall DHS strategic goals. The plan also
identifies technology strengths, weaknesses, opportunities, and threats. Due to the
finalization and communication of the DHS IT Strategic Plan and plans to align IT with the
department’s goals, this area has made “moderate” progress.

Enterprise Architecture: functions as a blueprint
to guide IT investments for the organization.
Moderate Progress

The Clinger-Cohen Act requires that CIOs develop and implement an integrated IT
architecture for the agency to avoid the risk that systems will be duplicative, not well
integrated, and limited in optimizing mission performance. DHS has shown continued
support of its enterprise architecture program, and has requested over $100 million of
funding for fiscal year 2010. In addition, the DHS IT Strategic Plan identifies a
performance measure for the percentage of IT investments reviewed and approved through
the Enterprise Architecture Board. This should further promote and enforce alignment of
IT investments across the department.
The department has shown “moderate” progress in
implementing its enterprise architecture.

Portfolio Management: improves leadership’s
ability to understand interrelationships between IT
investments and department priorities and goals.
Modest Progress

The DHS OCIO has made “Modest” progress in establishing the department’s portfolio
management capabilities as instructed by OMB Circular A-130. [20] The DHS portfolio
management program aims to group related IT investments into defined capability areas to
support strategic goals and missions. Portfolio management improves leadership’s
visibility into relationships among IT assets and department mission and goals across
organizational boundaries.

The DHS IT Strategic Plan identifies a goal to effectively manage IT capabilities and
implement cross-departmental IT portfolios that enhance mission and business
performance. Although progress is being made, the department has not fully identified
opportunities to standardize, consolidate, and optimize the IT infrastructure.
Based on the
limited benefits realized, the department has shown “modest” progress in implementing
department-wide portfolio management.

[20] Office of Management and Budget Circular A-130, Transmittal 4, Management of Federal Information
Resources, November 2000.

Capital Planning and Investment Control:
improves the allocation of resources to benefit the
strategic needs of the department.
Moderate Progress

The Clinger-Cohen Act requires that departments and agencies create a capital planning
and investment control (CPIC) process to manage the risk and maximize the value of IT
acquisitions. The CPIC process is intended to improve the allocation of resources to
benefit the strategic needs of the department. As part of the CPIC process, agencies are
required to submit business plans for IT investments to OMB demonstrating adequate
planning.

To address this requirement, DHS’ IT Strategic Plan communicated the importance of
following the IT investment guidance provided by DHS management directive 0007.1. [21]
This directive supports and expands on the Act’s requirement for technology, budget,
financial, and program management decisions. The department has made “moderate”
progress with respect to allocation of resources to benefit its strategic needs.

IT Security: ensures protection that is commensurate
with the harm that would result from unauthorized
access to information.
Moderate Progress

DHS IT security is rated at “moderate,” for progress made during the last 3 years in
compliance with FISMA.
OMB Circular A-130 requires agencies to provide protection
that is commensurate with the risk and magnitude of the harm that would result from
unauthorized access to information and systems assets or their loss, misuse, or
modification. Regarding intelligence systems, information security procedures have been
documented and controls have been implemented, providing an effective level of systems
security.

EMERGENCY MANAGEMENT

FEMA’s mission is to support citizens and first responders to ensure that as a nation we work
together to build, sustain, and improve our capability to prepare for, protect against, respond
to, recover from, and mitigate all hazards. The Post-Katrina Emergency Management
Reform Act of 2006 (Post-Katrina Reform Act), [22] enacted to address shortcomings exposed
by Hurricane Katrina, expanded the scope of the agency’s mission, enhanced FEMA’s
authority and gave it primary responsibility for the four phases of comprehensive emergency
management: preparedness, response, recovery, and mitigation.

[21] DHS Management Directive 0007.1: Information Technology Integration and Management March 2007.
[22] Public Law 109-295, Title VI – National Emergency Management, of the Department of Homeland Security
Appropriations Act of 2007.

In March 2008, we released a report on FEMA’s progress in addressing nine key
preparedness areas related to catastrophic disasters: overall planning, coordination and
support, interoperable communications, logistics, evacuations, housing, disaster workforce,
mission assignments, and acquisition management. [23] FEMA’s progress in these areas ranged
from limited to moderate. FEMA officials said their progress was impacted by budget
shortfalls, reorganizations, inadequate IT systems, and confusing or limited authorities.
We
made several recommendations for improvements in overall planning, coordination, and
communications. We plan to update this catastrophic assessment in FY 2010.

As we reported in June 2009, FEMA’s response to Hurricane Ike was well organized and
effective. Within seven weeks of landfall, FEMA registered more than 715,000 hurricane
victims, completed 359,000 housing inspections, installed manufactured housing for 339
families, and disbursed over $326 million for housing and other needs. 24

While our emphasis in last year’s scorecard was catastrophic preparedness, this year’s
scorecard focuses on three key challenges FEMA faces in meeting its broader emergency
management mission.

Emergency Management

The following scorecard highlights FEMA’s progress in three key areas: disaster sourcing,
housing, and mitigation.

Based on the consolidated result of the three areas presented here, as well as progress made
in acquisition management and disaster grants management, FEMA has made “moderate”
progress in the area of Emergency Management.


EMERGENCY MANAGEMENT SCORECARD

Disaster Sourcing
Rating: Moderate Progress

When disaster strikes, FEMA must be prepared to quickly provide goods and services to
help state and local governments respond to the disaster.
Disaster resources, ranging
from water and meals to tarps and blankets, can be provided directly by FEMA, by
another federal agency under direction from FEMA, or by the private sector through a
contract with FEMA or another federal agency.

In reviewing FEMA’s use of its four primary sourcing mechanisms: (1) warehoused
goods; (2) mission assignments; (3) interagency agreements; and (4) contracts, we
determined that FEMA does not have a clear, overarching strategy that guides decision
making on which of these sourcing mechanisms to use to meet a particular need.

23 DHS-OIG, FEMA’s Preparedness for the Next Catastrophic Disaster, (OIG-08-34, March 2008).
24 DHS-OIG, Management Advisory Report: FEMA’s Response to Hurricane Ike, (OIG-09-78, June 2009).

FEMA’s disaster sourcing decisions are process driven and not compliant with the
National Incident Management System. Decision making is stove-piped within the Joint
Field Office and among various levels of FEMA. This approach does not allow FEMA to
centralize disaster sourcing decision making and limits its ability to: (1) implement an
overarching sourcing strategy; (2) minimize unnecessary duplication; (3) take advantage
of resource ordering efficiencies; and (4) create transparency and maintain visibility over
the entire resource ordering process. 25

We have also reported that some sourcing decisions are made in response to pressure
from internal and external officials and are not necessarily based on actual need or a
request from the state affected by a disaster. 26 While often well-meaning, the pressure
can result in waste when the goods or services are not needed and can be disruptive to the
sourcing process.
Implementing single-point ordering and supporting it with IT systems
that provide increased visibility and transparency will allow FEMA to provide a focal
point for such input and increase the availability of information on what goods and
services have been requested, ordered, and delivered. 27

Housing
Rating: Modest Progress

While FEMA has made strides in a number of areas since hurricanes Katrina and Rita
struck the Gulf Coast, there remains room for improvement, including in the critical area
of disaster housing. 28 FEMA does not yet have sufficient tools, operational procedures,
and legislative authorities to aggressively promote the cost-effective repair of housing
stock, an important element of post-disaster housing.

The repair and restoration of existing housing stocks is one of the most important
challenges FEMA and its response and recovery partners face following a catastrophic
housing disaster. All other housing decisions and programs hinge on this single variable.

After Hurricane Katrina, Congress required FEMA to develop the National Disaster
Housing Strategy. FEMA issued the strategy in January 2009. The strategy summarizes
the sheltering and housing capabilities, principles, and policies that will guide the disaster
housing process. The strategy promotes engagement of all levels of government, along
with nonprofits, the private sector, and individuals to collectively address the housing
needs of disaster victims.
The goal is to enable individuals, households, and communities
to rebuild and restore their way of life as soon after a disaster as possible.

25 DHS-OIG, FEMA’s Sourcing for Disaster Response Goods and Services, (OIG-09-96, August 2009).
26 DHS-OIG, Management Advisory Report: FEMA’s Response to Hurricane Ike, (OIG-09-78, June 2009).
27 DHS-OIG, FEMA’s Sourcing for Disaster Response Goods and Services, (OIG-09-96, August 2009).
28 DHS-OIG, Federal Emergency Management Agency’s Exit Strategy for Temporary Housing in the Gulf
Coast Region, (OIG-09-02, October 2008); DHS-OIG, FEMA Response to Formaldehyde in Trailers, (OIG-09-83,
June 2009); DHS-OIG, Management Advisory Report: Computer Data Match of FEMA and HUD Housing
Assistance Provided to Victims of Hurricane Katrina and Rita, (OIG-09-84, June 2009).

The strategy is a positive step forward, but it is only an interim step. It outlines a number
of potential programs and federal agencies that can help victims find housing solutions.
However, the strategy does not describe what would be a favorable outcome or goal in a
particular disaster scenario or include action plans designed to achieve specific goals. To
be complete, FEMA’s action plan must specify what constitutes success under
increasingly severe disaster scenarios, especially catastrophic disasters.

FEMA must develop better tools and operational procedures to respond effectively to the
next disaster, especially a catastrophic disaster that destroys much housing stock. To
better manage expectations and speed housing solutions, FEMA should set achievable
housing goals and manage expectations following disasters.
It is also critically important
that all disaster stakeholders at the federal, state, and local levels maintain momentum
and continue to implement needed changes over time.

FEMA needs more flexibility to explore innovative and cost-effective solutions to
disaster housing challenges. In our report, FEMA’s Sheltering and Transitional Housing
Activities After Hurricane Katrina, issued in September 2008, we encouraged FEMA to
explore alternatives to its traditional housing programs, including providing lump sum
payments to disaster victims. 29 This could be a more cost-effective and expeditious way
of returning victims to a more normal way of life.

Mitigation
Rating: Modest Progress

Mitigation is the effort to reduce loss of life and property by lessening the impact of
disasters. In the realm of emergency management, hazard mitigation falls into three
broad categories: natural, technological and manmade. Natural hazards are those
generally associated with weather and geological events, such as hurricanes, tornadoes or
earthquakes. Technological hazards include dams, gas lines and chemical facilities.
Manmade hazards are typically associated with a criminal or terrorist attack using devices
such as an improvised explosive device, biological weapon or chemical weapon.
FEMA’s Mitigation Directorate manages the National Flood Insurance Program and a
range of programs designed to reduce future losses from natural hazards. Other DHS
components have responsibility for mitigation of technological and manmade hazards.

The Flood Insurance Reform Act of 2004 was enacted to reduce or eliminate future losses
to properties in the National Flood Insurance Program by establishing the Repetitive
Flood Claims and the Severe Repetitive Loss grant programs.
Repetitive loss properties
are insured properties that have incurred two or more flood losses greater than $1,000
within any 10-year period. FEMA and its state and local partners have mitigated nearly
15,000 repetitive loss properties since 1978, but an average of 5,188 new repetitive loss
properties have been added each year, outpacing FEMA mitigation efforts by a factor of
10 to 1. 30

29 DHS-OIG, FEMA’s Sheltering and Transitional Housing Activities After Hurricane Katrina, (OIG-08-93,
September 2008).

Many of the conditions we reported in 2009 regarding the challenges of mitigating
repetitive loss properties are the same as those we reported in 2002: (1) FEMA can only
promote the notion of mitigation and cannot directly compel property owners in flood
hazard areas to mitigate; (2) mitigation professionals need access to accurate information
about repetitive loss properties to better manage the repetitive flood loss problem; and
(3) the need to impose actuarial rates on repetitive loss properties is vital to the financial
independence of the National Flood Insurance Program. To address these challenges, we
have recommended that FEMA apply actuarial insurance rates to properties on leased
federal land and implement regulations to expand the use of increased cost of compliance
coverage for all qualifying FEMA mitigation programs.

FEMA regulations regarding the implementation of public assistance and mitigation
projects located in Coastal Velocity Zones (V Zones) are derived from Executive Order
11988, which requires federal agencies and responsible entities to avoid direct or indirect
support to floodplain development wherever there is a practicable alternative.
However,
FEMA in practice directly supports community development in V Zones by funding
recovery projects and providing insurance under the National Flood Insurance Program to
properties located in V Zones. This is a significant management challenge for FEMA
because it must find a balance between meeting the needs of coastal communities while
not inadvertently encouraging settlement in floodplains and hazardous coastal areas. As
a result of our review and subsequent recommendations concerning FEMA’s recovery
assistance and mitigation projects located in Louisiana coastal areas, FEMA is evaluating
its policies relating to the application of recovery assistance, insurance, and mitigation
projects located in V Zones. 31


GRANTS MANAGEMENT

FEMA provides disaster assistance to communities through the Public Assistance Grant
Program, the Hazard Mitigation Grant Program, and the Fire Management Assistance Grant
Program. Under each of these grant programs, the affected State is the grantee, and the State
disburses funds to eligible subgrantees. FEMA also awards grants to state and local
governments; territories; tribal governments; and private, public, profit, and nonprofit
organizations to enhance preparedness, protection, response, recovery, and mitigation
capabilities throughout the Nation.
However, improvements are needed in FEMA’s grants
management and oversight infrastructure to ensure effective monitoring of grantees.

30 DHS-OIG, FEMA’s Implementation of the Flood Insurance Reform Act of 2004, (OIG-09-45, March 2009).
31 DHS-OIG, FEMA Policy Relating to Coastal Velocity Zones, (OIG-09-71, May 2009).

Given the billions of dollars appropriated annually for preparedness, disaster, and non-
disaster grant programs, DHS needs to ensure that internal controls are in place and adhered
to, and that grant recipients are sufficiently monitored to achieve successful outcomes. DHS
should continue refining its risk-based approach to awarding preparedness grants to ensure
that the most vulnerable areas and assets are as secure as possible. Sound risk management
principles and methodologies will help DHS prepare for, respond to, recover from, and
mitigate acts of terrorism and natural disasters.

Grants Management

The following scorecard highlights the department’s progress in two key areas: disaster and
non-disaster grants management. FEMA is taking steps to improve its grant policies,
procedures, systems, and processes, which, when developed and implemented, should
strengthen its grants management and oversight infrastructure.

Based on the consolidated result of the two areas presented here, FEMA has made “modest”
progress in the area of Grants Management.


GRANTS MANAGEMENT SCORECARD

Disaster Grants Management
Rating: Moderate Progress

In FY 2008, we issued 25 financial assistance (subgrant) audit reports, identifying more
than $23 million in questioned costs.
As of August 2009, we had issued 41 subgrant
audit reports in FY 2009, with more than $80 million in questioned costs.

While FEMA does not directly manage subgrants, it is incumbent on FEMA to make
certain that States, as grantees, understand the rules and regulations that govern disaster
grants and ensure that subgrantees adhere to these. We plan to issue a report in early
FY 2010 that presents some of the most common problems that lead to questioned costs,
including inconsistent interpretation of policies by FEMA personnel and, in the case of
fire assistance, problems with unsupported charges billed to subgrantees by other federal
agencies that provided services.

Non-Disaster Grants Management
Rating: Modest Progress

Monitoring and documenting the effectiveness of DHS’ multitude of grant programs
continue to pose significant challenges for the department. DHS manages more than
80 disaster and non-disaster grant programs. This challenge is compounded by other
federal agencies’ grant programs that assist state and local governments in improving
their abilities to prepare for, respond to, and recover from acts of terrorism or natural
disasters.

Improvements are needed in FEMA’s grants management and oversight infrastructure to
ensure effective monitoring of grantees. Specifically, FEMA does not consistently and
comprehensively execute its two major oversight activities, financial and program
monitoring. This occurs, in part, because FEMA does not have sufficient grants
management staff. FEMA has not conducted the analyses and developed the plan of
action required by Public Law 109-295 Title VI, the Post Katrina Emergency
Management Reform Act of 2006 as part of its strategic human capital plan.
In addition,
financial and programmatic monitoring policies, procedures, and plans are not
comprehensive.

FEMA has formed an Intra-Agency Grants Program Task Force that has developed a
FEMA Grants Strategy to drive future enhancements in grants policies, procedures,
systems, and processes. The task force has identified projects including the development
of comprehensive grant management monitoring policies and procedures for the FEMA
directorates with program management and oversight responsibilities.

Many states, as grantees, are not sufficiently monitoring subgrantee compliance with
grant terms and cannot clearly document critical improvements in preparedness as a
result of grant awards. During FY 2009, we issued audit reports on homeland security
grants management by Illinois and California. We are currently reviewing
Massachusetts, Maryland, Missouri, South Carolina, West Virginia, and the District of
Columbia. These entities generally did an efficient and effective job of administering the
grant funds; however, the most prevalent areas needing improvement concerned
performance measurement, subgrantee monitoring, financial documentation and
reporting, and control of expenditure reimbursement requests.


FINANCIAL MANAGEMENT

DHS continued to improve financial management in FY 2009, but challenges remain.
Beginning in FY 2009, our independent auditors performed an integrated financial statement
and internal control over financial reporting audit limited to the DHS consolidated balance
sheet and statement of custodial activity. As in previous years, our independent auditors
were unable to provide an opinion on those statements because the department could not
provide sufficient evidence to support its financial statements or represent that financial
statement balances were correct.
Additionally, the independent auditors were unable to
perform procedures necessary to form an opinion on DHS’ internal control over financial
reporting of the balance sheet and statement of custodial activity due to the pervasiveness of
the department’s material weaknesses.

Although the department has continued to remediate material weaknesses and has reduced
the number of conditions contributing to the disclaimer of opinion on the financial
statements, all six material weakness conditions were repeated in FY 2009. Furthermore, the
increase in audit scope related to auditing internal control over financial reporting resulted in
our independent auditor identifying significant departmental challenges that have a pervasive
impact on the effectiveness of internal controls over consolidated financial reporting.
Specifically:

   • The department lacks a sufficient number of accounting and financial management
     personnel with core technical competencies to ensure that its financial statements are
     presented accurately and in compliance with generally accepted accounting principles;
   • DHS’ accounting and financial reporting infrastructure, including policies,
     procedures, processes, and internal controls, have not received investments in
     proportion to the department’s rapid growth in new programs and operations, and
     changes in mission since the department’s inception;
   • Field and operational personnel do not always share responsibilities for, or are not
     held accountable for, matters that affect financial management, including adhering to
     accounting policies and procedures and performing key internal control functions in
     support of financial reporting;
   • The
     department’s financial Information Technology (IT) system infrastructure is
     aging and has limited functionality, which is hindering the department’s ability to
     implement efficient corrective actions and produce reliable financial statements that
     can be audited.

IT controls and systems functionality conditions at FEMA and ICE deteriorated in FY 2009.
The remaining significant component level challenges preventing the department from
obtaining an opinion on its consolidated balance sheet and statement of custodial activity are
primarily at the Coast Guard and TSA. In both FY 2009 and FY 2008, Coast Guard was
unable to assert to any of its account balances; and TSA was unable to fully support the
accuracy and completeness of the property, plant, and equipment (PP&E) account balance.
However, the Coast Guard has made limited progress implementing the Financial Strategy
for Transformation and Audit Readiness (FSTAR) in FY 2009. As a result, the auditors
have been able to perform limited audit procedures over PP&E and actuarial liabilities.
Additionally, the FSTAR calls for substantially more progress after FY 2010, especially in
areas necessary to assert to the completeness, existence, and accuracy of PP&E, actuarial
liabilities, and fund balance with Treasury balances.

Financial Management Scorecard

The following scorecard presents the status of DHS’ effort to address internal control
weaknesses in financial reporting that were identified in FY 2008. The scorecard is divided
into two categories: (1) Military – Coast Guard and (2) Civilian – all other DHS
components. The scorecard lists the six material weaknesses identified during the
independent audit of the FY 2008 DHS consolidated balance sheet and statement of custodial
activity.
These weaknesses continued to exist throughout FY 2009 and were again noted in
the FY 2009 independent auditor’s report. For a complete description of the internal control
weaknesses identified in the FY 2008 audit, see OIG-09-09. 32 To determine the status, we
compared the material weaknesses reported by the independent auditor in FY 2008 with
those identified in FY 2009. 33 The scorecard does not include other financial reporting
control deficiencies identified in FY 2009 that do not rise to the level of a material weakness,
as defined by the American Institute of Certified Public Accountants.

The ratings are based on a four-tiered scale ranging from limited to substantial progress as
follows:

   • Limited: While there may be plans to address internal control weaknesses, few if
     any have been remediated;
   • Modest: While some improvements have been made and account balances have been
     corrected, many systemic internal control weaknesses remain;
   • Moderate: Many of the internal control weaknesses have been remediated; and
   • Substantial: Most or all of the internal control weaknesses have been remediated.

Based on the consolidated result of the seven financial management areas included in the
report, DHS has made “modest” progress overall in financial management.


FINANCIAL MANAGEMENT SCORECARD

Financial Reporting and Management: Financial reporting is the process of
presenting financial data about an agency’s financial position, the agency’s operating
performance, and its flow of funds for an accounting period.
Financial management is the
planning, directing, monitoring, organizing, and controlling of financial resources,
including program analysis and evaluation, budget formulation, execution, accounting,
reporting, internal controls, financial systems, grant oversight, bank cards, travel policy,
appropriation-related Congressional issues and reporting, working capital funds, and other
related functions.

Military: Limited Progress

The Coast Guard has demonstrated limited progress in remediating the
numerous internal control weaknesses identified by the independent
auditors during FY 2008. Significant control deficiencies contributing to
a material weakness in financial reporting in FY 2008 included: 1) lack
of an effective general ledger system; and 2) lack of effective policies,
procedures, and controls surrounding the financial reporting process. In
FY 2008 the Coast Guard revised its FSTAR; however, most of the
actions outlined in the FSTAR were scheduled to occur after FY 2008.

32 DHS-OIG, Independent Auditors’ Report on DHS’ FY 2008 Financial Statements, (OIG-09-09, November
2008).
33 DHS-OIG, Independent Auditors’ Report on DHS’ FY 2009 Financial Statements and Internal Control Over
Financial Reporting, (OIG-10-11, November 2009).

During FY 2009, the independent auditors noted that the Coast Guard
continued implementation of its FSTAR and made some progress by
completing its planned corrective actions over pension liabilities.
This
allowed management to make assertions on completeness and accuracy
on its accrued liabilities, which represents more than 50 percent of the
department’s total liabilities. However, most corrective actions outlined
in the FSTAR are scheduled to occur after FY 2009, and consequently
many of the financial reporting weaknesses reported in prior years
remained as of the end of FY 2009.

Among the conditions at Coast Guard that contribute to a material
weakness in this area during FY 2009 is the lack of sufficient financial
management personnel to identify and address control weaknesses, and
develop and implement effective policies, procedures, and internal
controls over the financial reporting process.

Civilian: Limited Progress

In FY 2008, the independent auditors found several internal control
weaknesses in financial reporting at FEMA and TSA. Those conditions
contributed to qualifications of the auditors’ opinion on the department’s
consolidated financial statements.

Overall, the department has made limited progress in FY 2009 in
addressing the internal control weaknesses the auditor identified in
financial reporting in FY 2008. FEMA and TSA, which both contributed
to a material weakness in this area in FY 2008, have shown only minimal
progress in improving the internal control weaknesses. Conditions at
CBP have deteriorated in FY 2009, although they are less severe than at FEMA
and TSA.
These internal control deficiencies at CBP, FEMA, and TSA
have contributed to a material weakness in this area for the department
overall in FY 2009.

Among the deficiencies noted in the FY 2009 independent auditor’s
report is that the department lacks a sufficient number of accounting and
financial management personnel with core technical competencies to
ensure its financial statements are prepared accurately and in compliance
with generally accepted accounting principles. This condition was
common among CBP, FEMA, and TSA in FY 2009.

Information Technology Controls and Financial Systems Functionality:
IT general and application controls are essential for achieving effective and reliable
reporting of financial and performance data.

Military: Limited Progress

During 2008, the independent auditors identified numerous IT general
control deficiencies, of which nearly all were repeat findings from prior
years. The most significant IT deficiencies that could affect the
reliability of the financial statements related to the development,
implementation, and tracking of scripts, and the design and
implementation of configuration management policies and procedures.
These deficiencies at the Coast Guard contributed to a material weakness
for the department in this area in FY 2008.

For FY 2009, the Coast Guard has demonstrated limited progress in
correcting certain IT general control weaknesses identified in previous
years.
As a result of the increase in scope of IT testing in FY 2009, the
auditors have identified additional weaknesses that were not reported in
the prior year. Therefore, although the Coast Guard corrected some
deficiencies in IT general controls, the number of IT control weaknesses
increased over the prior year. Over 50 percent of the findings the
auditors identified in FY 2009 were repeat conditions from the prior
year.

One key area that remains a challenge for the Coast Guard is its core
financial system configuration management process. For 2009, the
auditors again noted that the configuration management process is not
operating effectively. Financial data in the general ledger may be
compromised by automated and manual changes that are not properly
controlled. The changes are implemented through the use of an IT script
process, which was instituted as a solution to address functionality and
data quality issues. However, the controls over the script process were
not properly designed or implemented effectively from the beginning.

Civilian: Limited Progress

Overall, DHS has made limited progress in correcting the IT general and
applications control weaknesses identified in the FY 2008 independent
auditor’s report.
During FY 2008, FEMA and TSA contributed to an
overall material weakness in IT general and applications control, while
CBP, FLETC, and USCIS all had significant deficiencies in this area.

As a result of the increase in scope of the IT testing in FY 2009, the
auditors have identified additional weaknesses that were not reported in
the prior year. Therefore, although the DHS civilian components
corrected some deficiencies in IT general controls, which resulted in the
closure of more than 60 percent of the IT general controls findings
reported in FY 2008, the number of department-wide IT control
weaknesses increased over the prior year, with conditions at FEMA and
ICE deteriorating.

The auditors noted that many of the financial systems in use at DHS
components have been inherited from the legacy agencies and have not
been substantially updated since DHS’ inception.
As a result, ongoing
financial system functionality limitations are contributing to the
department’s challenges in addressing systemic internal control
weaknesses and strengthening the overall control environment.

The FY 2009 independent auditor’s report identified the following areas
that continue to present risks to the confidentiality, integrity, and
availability of DHS’ financial data: 1) excessive access to key DHS
financial applications, 2) application change control processes that are
inappropriate, not fully defined or followed, and are ineffective, and 3)
security management practices that do not fully and effectively ensure
that financial systems are certified, accredited, and authorized to
operate prior to implementation.

Fund Balance with Treasury (FBwT): FBwT represents accounts held at
Treasury from which an agency can make disbursements to pay for its operations. Regular
reconciliation of an agency’s FBwT records with Treasury is essential to monitoring and
safeguarding these funds, improving the integrity of various U.S. Government financial
reports, and providing a more accurate measurement of budget resources.

Military: Limited Progress

The Coast Guard has demonstrated limited progress in addressing the
material weaknesses noted in this area in previous years. In FY 2008, the
independent auditors reported a material weakness in internal control
over FBwT at the Coast Guard.
During FY 2009, the Coast Guard
corrected some of the control deficiencies related to this area and revised
its remediation plan (FSTAR) to include additional corrective actions,
which are scheduled to occur after FY 2009. Consequently, most of the
conditions which existed in FY 2008 continued to exist throughout FY
2009. For example, the auditors reported that the Coast Guard has not
developed a comprehensive process, to include effective internal
controls, to ensure that all FBwT transactions are recorded in the general
ledger timely, completely, and accurately.

Civilian: N/A

No control deficiencies related to FBwT were identified at the civilian
components in FY 2009. Corrective actions implemented in previous
years continued to be effective throughout FY 2008 and FY 2009.

Property, Plant, and Equipment (PP&E) and Operating Materials and
Supplies (OM&S): DHS capital assets and supplies consist of items such as property,
plant, and equipment; operating materials; and supplies, including boats and vessels at the
Coast Guard, passenger and baggage screening equipment at TSA, and stockpiles of
inventory to be used for disaster relief at FEMA.

Military: Limited Progress

The Coast Guard maintains approximately 52 percent of the department’s
property, plant, and equipment (PP&E), including a large fleet of boats
and vessels.
In FY 2008, internal control weaknesses related to PP&E at
Coast Guard contributed to a material weakness in this area for the
department.

For FY 2009, the Coast Guard has demonstrated limited progress overall
in correcting internal control weaknesses related to PP&E identified in
the independent auditor’s report in FY 2008.

During FY 2009, the Coast Guard continued implementation of its
remediation plan (FSTAR) to address the PP&E process and control
deficiencies, and began remediation efforts. However, the corrective
actions included in the FSTAR are scheduled to occur over a number of
years. Consequently, most of the material weakness conditions reported
in FY 2008 remained throughout FY 2009. For example, one of the
conditions the auditors identified, which is a repeat from prior years, is
that the Coast Guard has not established its beginning PP&E balance
necessary to prepare the year-end balance sheet.

The auditors also identified weaknesses related to operating materials
and supplies (OM&S), which the Coast Guard maintains in significant
quantities. These consist of tangible personal property to be consumed in
normal operation to service marine equipment, aircraft, and other
equipment.
The auditors reported that the Coast Guard has not
implemented policies, procedures, and internal controls to support
financial assertions related to OM&S and related balances for FY 2009.

Civilian: Modest Progress

DHS has demonstrated modest progress overall in correcting internal
control weaknesses related to capital assets and supplies identified in the
independent auditor’s report in FY 2008. In FY 2008, FEMA, TSA, and
CBP contributed to a material weakness in capital assets and supplies.
The conditions that existed at TSA and FEMA prevented the auditors
from completing their test work in FY 2008 and led to qualifications in
the auditors’ report.

While FEMA has fully remediated its internal control weakness in this
area during FY 2009, internal control conditions have deteriorated at
CBP, USCIS, ICE, and NPPD.
Although conditions at USCIS, ICE, and
NPPD appear less severe than at CBP and TSA, when taken together,
they contribute to an overall material weakness for the department in this
area for FY 2009.

Most of the control weakness conditions in this area are related to PP&E.
Common among the components that contributed to the material
weakness is the lack of adequate accounting policies, procedures,
processes, and controls to properly account for its PP&E.

Actuarial and Other Liabilities: Liabilities represent the probable and measurable
future outflow or other sacrifice of resources as a result of past transactions or events. The
internal control weaknesses reported in this area are related to various types of liabilities,
including accounts and grants payable, legal and actuarial, and environmental liabilities.

Military: Limited Progress

The Coast Guard maintains medical and post-employment travel benefit
programs that require actuarial computations to record related liabilities
for financial reporting purposes. Other liabilities include accounts
payable, environmental, and legal liabilities.

The Coast Guard was able to make financial statement assertions and
present auditable balances in actuarial pension liabilities, demonstrating
limited progress toward remediation of the control and reporting
deficiencies that existed in this process in FY 2008.
Among the
conditions that remained throughout FY 2009 is that the Coast Guard has
not implemented effective policies, procedures, and controls to ensure
the completeness and accuracy of medical cost data and post-employment
travel claims provided to, and used by, the actuary for the
calculation of the medical and post-employment benefit liabilities.

Civilian: Moderate Progress

During FY 2009, the civilian components demonstrated moderate
progress overall in remediating internal control weaknesses related to
actuarial and other liabilities. Significant internal control weaknesses
which the independent auditors identified at FLETC, ICE, and S&T in
FY 2008, and which contributed to a material weakness overall for the
department, were fully remediated in FY 2009. However, internal control
deficiencies continue to exist at FEMA and new weaknesses were
identified at TSA during FY 2009. These conditions at FEMA and TSA,
together with the material weakness conditions at the Coast Guard,
resulted in a material weakness for the department overall, in FY 2009.

FEMA is recognized as the primary grant-making component of DHS,
and the FY 2009 independent auditor’s report noted that FEMA does not
have sufficient policies and procedures in place to fully comply with the
Single Audit Act Amendments of 1996 and OMB Circular No.
A-133,
Audits of States, Local Governments, and Non-profit Organizations.
TSA has numerous types of accounts payable and accrued liabilities that
affect the balance sheet, including Other Transactions Agreements
(OTA). One of the conditions at TSA that contributed to the
department’s material weakness is that TSA has not developed policies
and procedures to accurately estimate OTA accrued liability at year-end.

Budgetary Accounting: Budgetary accounts are a category of general ledger
accounts where transactions related to the receipt, obligation, and disbursement of
appropriations and other authorities to obligate and spend agency resources are recorded.

Military: Limited Progress

The Coast Guard has made limited progress in this area. Many of the
internal control weaknesses that contributed to a material weakness in
budgetary accounting at the Coast Guard in FY 2008 remained
throughout FY 2009. For example, the FY 2008 Independent Auditors’
Report noted that the policies, procedures, and internal controls over the
Coast Guard’s process for validation and verification of some account
balances are not effective to ensure that recorded amounts are complete,
valid, accurate, and that proper approvals and supporting documentation
are maintained.
This weakness continues to exist in FY 2009, and
remediation of these conditions is not planned for the Coast Guard until
after FY 2009.

Civilian: Modest Progress

During FY 2008, internal control weaknesses at CBP and FEMA
contributed to a departmental material weakness in this area; the material
weakness continued to exist throughout FY 2009.

For FY 2009, the department made modest progress in correcting the
deficiencies that were reported in FY 2008. Although CBP implemented
policies and procedures related to deobligation of funds when contracts
have expired or been completed, management has not been effective in
adhering to these policies or monitoring compliance. CBP has not made
substantial progress in correcting the deficiencies that were reported in
FY 2008. Additionally, although FEMA improved its processes and
internal control over the mission assignment obligation and monitoring
process, some control deficiencies remain.

INFRASTRUCTURE PROTECTION
DHS has direct responsibility for leading, integrating, and coordinating efforts to protect 11
critical infrastructure and key resources (CI/KR) sectors: the chemical industry; commercial
facilities; critical manufacturing; dams; emergency services; commercial nuclear reactors,
materials, and waste; information technology; telecommunications; postal and shipping;
transportation systems; and government facilities. In addition, DHS has an oversight role in
coordinating the protection of seven sectors for which other federal agencies have primary
responsibility.
The seven sectors for which DHS has an oversight role are agriculture and
food; the defense industrial base; energy; public health and healthcare; national monuments
and icons; banking and finance; and water and water treatment systems. The requirement to
rely on federal partners and the private sector to deter threats, mitigate vulnerabilities, or
minimize incident consequences complicates protection efforts for all CI/KR. Combined
with the uncertainty of the terrorist threat and other manmade or natural disasters, the
implementation of protection efforts is a great challenge.

In our FY 2009 report, Efforts to Identify Critical Infrastructure Assets and Systems, OIG-09-86,
we reported that the National Protection and Programs Directorate (NPPD) is in the
process of acquiring the Infrastructure Information Collection System, a replacement for the
National Asset Database.[34] It is envisioned that the Infrastructure Information Collection
System will greatly reduce critical infrastructure risk management gaps by providing
dynamic information collection systems that include a range of relevant sources. In addition,
the Infrastructure Information Collection System will allow relevant critical infrastructure
partners from federal, state, local, and private entities to access various tools that house
infrastructure data.
Until this system is fully implemented, decision making regarding CI/KR
will continue to be a significant challenge.

Concerning DHS’s efforts to protect the cyber infrastructure, we reported in August 2009
that the National Cyber Security Division (NCSD) had implemented its Control Systems
Security Program (CSSP) to coordinate the cybersecurity efforts for control systems between
the public and private sectors.[35] We reported that while NCSD has made progress in
implementing a cybersecurity program for control systems, opportunities exist for
improvements to its CSSP. For example, NCSD needs to encourage more information
sharing of critical infrastructure needs, threats, and vulnerabilities between the public and
private sectors. NCSD also needs to increase the number of cybersecurity vulnerability
assessments performed in order to reduce the overall risk to current operational control
systems.

Also in FY 2009, we will evaluate how DHS coordinates its infrastructure protection efforts
with other federal agencies, state and local governments and industry partners by reviewing
the protection of petroleum and natural gas infrastructure within the energy sector.
This review will determine (1) to what extent Protective Security Advisors (PSAs) are aligned to
support the NPPD’s primary national preparedness mission and the department’s overall
critical infrastructure protection strategy; (2) whether adequate guidance and resources have
been provided to support the PSA program’s growth; (3) the methods that PSAs use in
coordinating efforts to identify, prioritize, and assess critical infrastructure and key resources
within the Petroleum and Natural Gas subsectors; (4) how petroleum and natural gas
stakeholders use the work that is done by PSAs; and (5) the metrics that the PSA Program
uses to assess its own performance.

[34] DHS-OIG, Efforts to Identify Critical Infrastructure Assets and Systems, (OIG-09-86, June 2009).
[35] DHS-OIG, Challenges Remain in DHS’ Efforts to Secure Control Systems, (OIG-09-95, August 2009).

BORDER SECURITY
A principal DHS challenge is to secure the borders against all threats, including minimizing
illegal entry of persons into the U.S. To achieve this goal, U.S. Customs and Border
Protection’s (CBP) security mission is to obtain operational control of the border. In this
effort, CBP is implementing the Secure Border Initiative (SBI), a comprehensive multi-year
approach to controlling the border including immigration enforcement within the United
States.

SBInet is the program component of the SBI which will integrate personnel, infrastructure,
technologies, and rapid response capability into a comprehensive border protection system.
SBInet is intended to give our frontline officers the best possible environment to effectively
detect, identify and classify, respond to, and resolve situations that compromise border
security.

CBP faces challenges implementing SBI and SBInet.
CBP has not established adequate
controls and effective oversight of contract workers responsible for providing SBI program
support services. Although CBP has recently taken steps to improve SBI program
management by hiring knowledgeable and experienced program managers, it continues to
rely heavily on contract personnel, who comprise more than 50% of the SBI workforce.
Also, CBP has not provided an adequate number of contracting officer’s technical
representatives to oversee support services contractors’ performance, resulting in contractors
performing functions that should be performed by government workers.[36] We are evaluating
controls to ensure effective oversight of the prime contractor’s performance in meeting small
business goals and SBInet program costs and schedule.

Border Patrol assessments could better document and define operational requirements for
tactical infrastructure to ensure that border fence construction is linked to resource decisions
and mission performance goals. Furthermore, CBP did not complete 56 (77%) of the 73 rapid
response Border Patrol facilities projects it planned to complete in 2008 to support its border
security mission. These projects include new facilities, modifications to existing facilities,
and temporary solutions to accommodate new agents and shifting agent deployments. CBP
also has not replaced Border Patrol vehicles at the required 20% annual rate and does not
have a centralized information system to monitor vehicle availability. CBP initiated several
actions to improve its design guide, develop a new project management tracking system, and
update the space planning and cost estimation tool. In addition, CBP has taken actions to
improve its overall management of vehicles.[37]

In addition, DHS needs to focus on improving the policies, processes, and procedures that
govern the management and care of its detainee population.
Prior reviews of ICE’s detention
and removal operations identified deficiencies in the oversight of immigration detention
facilities. ICE has made efforts to strengthen the oversight of ICE detention assets by
establishing a Detention Facilities Inspection Group (DFIG). The DFIG provides ICE with an
independent inspection arm dedicated to oversight of ICE’s Detention and Removal Operations
(DRO) program. Additionally, ICE has contracted with private companies to provide on-site
compliance verification of the Performance-Based National Detention Standards at all ICE
detention facilities. However, we recently reported that ICE could further improve
documenting the transfer of immigrant detainees and ensuring they received timely medical
screenings and physical examinations, required by detention standards.[38] Additionally, ICE
needs to determine whether its approach to managing the detention facility bed space is
cost-effective.[39]

[36] DHS-OIG, Better Oversight Needed of Support Services Contractors in Secure Border Initiative Programs,
(OIG-09-80, June 2009); and DHS-OIG, Progress in Addressing Secure Border Initiative Operational
Requirements and Constructing the Southwest Border Fence, (OIG-09-56, April 2009).
[37] DHS-OIG, CBP’s Construction of Border Patrol Facilities and Acquisition of Vehicles, (OIG-09-91, July
2009).
[38] DHS-OIG, Immigration and Customs Enforcement's Tracking and Transfers of Detainees, (OIG-09-41,
March 2009).

TRANSPORTATION SECURITY
The nation’s transportation system is vast and complex, consisting of about 3.9 million miles
of roads, over 100,000 miles of rail, almost 600,000 bridges, over 300 sea ports, over 2
million miles of pipeline, about 500 train stations, and over 5,000 public-use airports.
The size of the transportation system, which moves millions of passengers and tons of freight
every day, makes it both an attractive target for terrorists and difficult to secure. The nation’s
economy depends upon implementation of effective, yet efficient transportation security
measures. The Transportation Security Administration (TSA) is responsible for protecting
the transportation system and ensuring the freedom of movement for people and commerce.
Given the “open” environment, effective security strategies must be established, while
maintaining quick and easy access for passengers and cargo. Since its inception, TSA has
faced challenges with strengthening security for aviation, mass transit and other modes of
transportation. TSA has made progress in addressing these challenges; however, more needs to
be done.

Checkpoint and Checked Baggage

The Aviation and Transportation Security Act[40] requires TSA to prescribe requirements for
screening or inspecting all passengers, goods, and property before entry into the sterile areas
of an airport. Our undercover audit of checked baggage screener performance revealed that
improvements are needed in the screening process to ensure that dangerous prohibited items
that enter the checked baggage system are not cleared for loading onto a passenger aircraft.[41]
We recently issued a classified report on our unannounced, covert testing using fake law
enforcement badges and credentials at selected domestic airports.[42] We tested equipment
and techniques at the screening checkpoint to assess how well TSA is addressing the related
challenges. We released a report on TSA’s controls over screener uniforms, badges, and
identification cards[43] and determined that TSA does not have adequate controls in place to
manage and account for airport security identification display area badges, TSA uniforms,
and TSA identification cards.
Unauthorized individuals’ access to those items increases an
airport’s level of risk to a wide variety of terrorist and criminal acts.

[39] DHS-OIG, Immigration and Customs Enforcement Detention Bedspace Management, (OIG-09-52, April
2009).
[40] Public Law 107-71, November 19, 2001.
[41] DHS-OIG, Audit of the Effectiveness of the Checked Baggage Screening System and Procedures Used to
Identify and Resolve Threats, (OIG-09-42, March 2009).
[42] DHS-OIG, Penetration Testing of Law Enforcement Credentials Used to Bypass Screening, (OIG-09-99,
September 2009 – Classified “Secret”.)
[43] DHS-OIG, TSA’s Controls over SIDA Badges, Uniforms, and Identification Cards, (OIG-08-92, September
2008).

Passenger Air Cargo Security

Approximately 7,500 tons of cargo are carried on passenger planes each day. Federal
regulations (49 CFR) require that, with limited exceptions, passenger aircraft may only
transport cargo originating from a shipper that is verifiably “known” either to the aircraft
operator or to the indirect air carrier that has tendered the cargo to the aircraft operator. Our
audit determined that the criteria and guidance for evaluating a known shipper are unclear
and subject to interpretation, increasing the risk that shippers may be improperly classified as
known.[44] TSA’s inspection and testing activities do not provide adequate assurance that
regulated entities are complying with the program’s requirements. Our report contained six
recommendations to strengthen the controls and oversight of the program, including
providing better criteria and guidance and improving inspection and testing activities.
TSA generally concurred with all six recommendations in our report.

Rail and Mass Transit

Recent events on the rail and transit systems in Washington DC, including a derailment, fire,
and crash, have raised questions regarding the mass transit agencies’ contingency plans and
the ability to handle these basic issues, as well as major emergencies. The Aviation and
Transportation Security Act assigned TSA the responsibility to secure all modes of
transportation in the United States. During emergencies, transit agencies rely on
well-designed and regularly practiced drills and exercises to respond and recover rapidly. TSA
created the Surface Transportation Security Inspection Program in 2005 to provide oversight
and assistance to surface transportation modes. Surface Transportation Security Inspectors
act as assessors, advisors, and liaisons, primarily in the mass transit and freight rail modes.

In our FY 2009 report, Effectiveness of TSA’s Surface Transportation Security Inspectors,
OIG-09-24, we reported that TSA is improving security in the mass transit and freight rail
modes through the inspection program. Inspectors help bus and passenger rail stakeholders
identify security gaps through Baseline Assessment for Security Enhancement reviews. They
increase TSA’s domain awareness by producing station profiles and by acting as liaisons
between the Transportation Security Operations Center and transportation systems. They
also participate in Visible Intermodal Prevention and Response exercises, which provide an
unannounced, high-visibility presence in a mass transit or passenger rail environment. TSA
faces important challenges in improving the effectiveness of the Surface Transportation
Security Inspectors.

As TSA expands its presence in non-aviation modes, it must look critically at how it is
deploying resources.
TSA must continue to assess how planned exercises can better use the
inspectors and their activities.

[44] DHS-OIG, TSA’s Known Shipper Program, (OIG-09-35, March 2009).

TRADE OPERATIONS AND SECURITY

CBP is primarily responsible for trade operations and security, with the support of the Coast
Guard and ICE. In 2008, approximately 11 million oceangoing cargo containers arrived at
the nation’s seaports. CBP typically processes more than 70,000 truck, rail, and sea
containers per day, along with the personnel associated with moving this cargo across U.S.
borders or to U.S. seaports. Modernizing trade systems, using resources efficiently, and
managing and forging partnerships with foreign trade and customs organizations pose
significant challenges for CBP and DHS.

To manage the threat and ensure the security of this large volume of maritime cargo, CBP
employs a multilayered approach including analyzing screening shipment information, and
using targeting systems to identify the highest risk cargo on which to focus its limited
resources. An effective inspection process includes the screening of shipping information,
nonintrusive inspections, and physical examinations. The Automated Targeting System
(ATS), which uses a complex model of weighted rules, assists CBP officers in screening
shipping information and selecting shipments for inspection.

While targeting high risk shipments continues to be a challenge for CBP, it can improve its
operations by updating its guidance relating to the physical examinations of high-risk cargo
containers that may contain biological, chemical, nuclear, and radiological threats. In
addition, CBP should conduct a risk assessment to determine which pathways, including
maritime cargo, pose the highest risk of biological and chemical weapons entering the
Nation.[45]

We also reviewed DHS’ planning, management oversight, and implementation of security
measures to protect against small vessel threats.[46] Overall, the department has made progress
in the area of small vessel security, but more remains to be done to provide effective
guidance and programs to address small vessel threats and the potential impact these threats
could have on our nation’s ports and trade operations. DHS should address all the desirable
characteristics and elements of an effective national strategy in its Small Vessel Security
Strategy and implementation plan and it should evaluate the effectiveness of programs
intended to support small vessel security before including them as part of a solution to
improve security against the small vessel threats.

[45] DHS-OIG, CBP’s Ability to Detect Biological and Chemical Threats in Maritime Cargo Containers,
(OIG-10-01, October 2009).
[46] DHS-OIG, DHS’ Strategy and Plans to Counter Small Vessel Threats Need Improvement, (OIG-09-100,
September 2009).

Additionally, one of the most significant challenges that remain is CBP’s efforts to
implement Section 1701 of the Implementing Recommendations of the 9/11 Commission Act
of 2007, which requires DHS to screen all cargo headed for the United States that is loaded
on or after July 1, 2012. To meet the goal of 100% screening, CBP has implemented the
Secure Freight Initiative to screen 100% of cargo from select ports. However, there are
numerous challenges that remain before this can be implemented for all cargo inbound to the
U.S.
Chief among these challenges is obtaining international agreements for 100% scanning
and working with the international community to resolve issues concerning resources, costs,
timing, and enforcement considerations.

Appendix A
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Deputy Chief of Staff for Policy
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Legislative Affairs
Under Secretary Management
Chief Financial Officer
Chief Information Officer
Chief Security Officer
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller."